MedusaLocker

Malware Profile Updated 8 days ago
MedusaLocker, first observed in September 2019, is a ransomware family that targets Windows hosts; spam and phishing email are among its common initial-access vectors. It should not be confused with Medusa, a separate Ransomware-as-a-Service (RaaS) operation active since late 2022. MedusaLocker appears in vendor reporting alongside other ransomware operations, among them AvosLocker, BlackCat, Trigona, and LockBit (see the FIN7 EDR-bypass tool coverage in the source documents below). One variant appends the ".crypto1317" extension to encrypted files and drops a ransom note named "How_to_back_files.html"; other variants use different extensions. Like other ransomware, it terminates the services and processes named in a hardcoded list before encryption begins.

MedusaLocker has been notably successful against the healthcare sector. According to a February 2023 report by the US Department of Health and Human Services, its operators exploited the confusion and disorder of the COVID-19 pandemic to launch attacks.

After initial access, MedusaLocker propagates through the network using a batch file that executes a PowerShell script. That script disables security and forensic software, restarts the machine in safe mode so that endpoint protection is not running, and then encrypts files with AES-256; the AES key is itself encrypted with the attacker's RSA-2048 public key, so files cannot be recovered without the operator's private key.

Although less publicized than some families, MedusaLocker's impact has been global. Its strains appear in Singapore's threat landscape in line with global trends, where it has been observed alongside other ransomware families such as LockBit and DeadBolt. A new MedusaLocker variant documented by PCrisk highlights the family's continued evolution. Caution is therefore warranted with suspicious downloads, emails, and websites, which are common infection vectors for this malware.
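The behaviours in the profile above (a ransom note named How_to_back_files.html, a variant-specific .crypto1317 extension, a batch file spawning PowerShell, service termination, and a forced safe-mode restart) translate directly into host triage logic. The following Python is an added example written for this page, not code from Cybergeist or from any of the cited reports. The log record format, the file listing, and the exact bcdedit and net stop command lines are constructed assumptions about how these steps usually look in Windows process telemetry, not strings quoted on this page.

```python
"""Triage helpers for MedusaLocker-style indicators (added example, not page code)."""
import re
from pathlib import PureWindowsPath

RANSOM_NOTE = "how_to_back_files.html"   # ransom note name from the profile
ENCRYPTED_EXT = ".crypto1317"             # extension of the variant described

# Command-line patterns for the behaviours the profile describes. The concrete
# commands are assumptions (typical ways to stop services and force a safe-mode
# boot on Windows), not commands quoted on this page.
SAFE_MODE_BOOT = re.compile(r"^bcdedit(\.exe)?\s+/set\b.*\bsafeboot\b", re.I)
SERVICE_STOP = re.compile(r"^(net1?|sc)(\.exe)?\s+stop\b|^taskkill(\.exe)?\b", re.I)

# Assumed process-creation record layout: "<ts> parent=<path> image=<path> cmd=<line>"
LOG_RE = re.compile(r"^(?P<ts>\S+) parent=(?P<parent>.+?) image=(?P<image>.+?) cmd=(?P<cmd>.*)$")

# Constructed sample data (not real telemetry).
FILES = [
    r"C:\Users\alice\Documents\budget.xlsx.crypto1317",
    r"C:\Users\alice\Documents\How_to_back_files.html",
    r"C:\Users\alice\Pictures\cat.jpg",
    r"D:\Shares\finance\q2.docx.crypto1317",
    r"D:\Shares\finance\HOW_TO_BACK_FILES.HTML",
]
LOGS = [
    r"2024-07-01T02:13:05Z parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell -ExecutionPolicy Bypass -File C:\Users\Public\run.ps1",
    r"2024-07-01T02:13:09Z parent=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe image=C:\Windows\System32\net.exe cmd=net stop MSSQLSERVER /y",
    r"2024-07-01T02:13:12Z parent=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe image=C:\Windows\System32\bcdedit.exe cmd=bcdedit /set {default} safeboot network",
    r"2024-07-01T02:14:00Z parent=C:\Windows\explorer.exe image=C:\Windows\System32\notepad.exe cmd=notepad.exe notes.txt",
]


def _basename(path: str) -> str:
    """Lower-cased final path component, parsed with Windows path rules."""
    return PureWindowsPath(path).name.lower()


def find_encryption_artifacts(paths):
    """Return encrypted-file paths and the directories that hold a ransom note."""
    encrypted = sorted(p for p in paths if p.lower().endswith(ENCRYPTED_EXT))
    note_dirs = sorted({str(PureWindowsPath(p).parent)
                        for p in paths if _basename(p) == RANSOM_NOTE})
    return {"encrypted": encrypted, "note_dirs": note_dirs}


def classify_process_events(lines):
    """Tag process-creation records that match the described execution chain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip records that do not fit the assumed layout
        parent, image, cmd = m["parent"], m["image"], m["cmd"].strip()
        # batch file -> PowerShell: cmd.exe is the parent of powershell.exe
        if _basename(parent) == "cmd.exe" and _basename(image) == "powershell.exe":
            hits.append((m["ts"], "powershell_from_batch"))
        if SERVICE_STOP.search(cmd):
            hits.append((m["ts"], "service_stop"))
        if SAFE_MODE_BOOT.search(cmd):
            hits.append((m["ts"], "safe_mode_boot"))
    return hits


def triage(paths, lines):
    """Combine file and process indicators into a coarse verdict."""
    art = find_encryption_artifacts(paths)
    tags = sorted({tag for _, tag in classify_process_events(lines)})
    indicators = len(tags) + bool(art["encrypted"]) + bool(art["note_dirs"])
    verdict = "high" if indicators >= 4 else "medium" if indicators >= 2 else "low"
    return {"tags": tags, "encrypted_count": len(art["encrypted"]),
            "note_count": len(art["note_dirs"]), "indicators": indicators,
            "verdict": verdict}


if __name__ == "__main__":
    print(triage(FILES, LOGS))
```

Pointing find_encryption_artifacts at a real share listing and classify_process_events at Sysmon event ID 1 or EDR process-creation exports is the only change needed to use this on live data. The verdict thresholds are deliberately simple and should be tuned against the environment's baseline, since net stop from administrative scripts is common, whereas a bcdedit safeboot change outside a maintenance window is rarely benign.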
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Medusa | 2
Medusa, a threat actor group, has been identified as a rising menace in the cybersecurity landscape, with its ransomware activities escalating significantly. In November 2023, Medusa and other groups like LockBit and ALPHV (BlackCat) exploited a zero-day vulnerability known as Citrix Bleed (CVE-2023
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Encrypt
RaaS
Encryption
Toyota
Windows
Health
Government
Ransom
Malware
Phishing
Singapore
Extortion
CISA
Exploit
Spam
Tool
Associated Malware
ID | Type | Votes | Profile Description
Lockbit | Unspecified | 2
LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
Trigona | Unspecified | 1
Trigona, a malware identified in 2022, emerged as a significant ransomware threat. This malicious software, designed to exploit and damage computer systems, infected devices through suspicious downloads, emails, or websites. The malware was particularly notorious for targeting Microsoft SQL servers,
Chromeloader | Unspecified | 1
ChromeLoader, first identified in early 2022, is a persistent and evolving malware family known for hijacking browsers, stealing sensitive information, and running additional payloads such as other malware families. This malicious software is particularly harmful as it can infiltrate systems without
Redline Stealer | Unspecified | 1
RedLine Stealer is a type of malware that has been causing significant disruption in the digital landscape. This malicious software infiltrates computer systems, often without the user's knowledge, via suspicious downloads, emails, or websites, and then proceeds to steal personal information, disrup
Medusa Ransomware | Unspecified | 1
Medusa ransomware is a malicious software designed to infiltrate systems, steal personal information, disrupt operations, and hold data hostage for ransom. It often enters systems through suspicious downloads, emails, or websites unbeknownst to the user. Once inside, it leaves a ransom note, demandi
AvosLocker | Unspecified | 1
AvosLocker is a type of malware, specifically a ransomware, that has been causing significant issues across the digital landscape. Ransomware is a form of malicious software designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without
Associated Threat Actors
ID | Type | Votes | Profile Description
Alphv | Unspecified | 1
AlphV, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. This group has been involved in numerous high-profile attacks, including stealing 5TB of data from Morrison Community Hospital and compromising Clarion, a global manufacturer of audio and video equipment for car
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the MedusaLocker malware was read from the source documents listed below.
Source | Created At | Title
Securityaffairs
6 days ago
FIN7 group advertises new EDR bypass tool on hacking forums
CERT-EU
8 months ago
The Week in Ransomware - November 17th 2023 - Citrix in the Crosshairs
CERT-EU
6 months ago
Ransomware victims are being offered payment extension plans as groups ratchet up pressure | #ransomware | #cybercrime | National Cyber Security Consulting
Unit42
6 months ago
Medusa Ransomware Turning Your Files into Stone
CERT-EU
a year ago
Ransomware and phishing attacks continue to plague businesses in Southeast Asia | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU
10 months ago
Hackers attack PhilHealth’s website, systems | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU
9 months ago
The Week in Ransomware - October 20th 2023 - Fighting Back
CERT-EU
9 months ago
Medusa Claims Canadian Psychological Association Cyberattack
Quick Heal Technologies Ltd.
9 months ago
MedusaLocker Ransomware: An In-Depth Technical Analysis and Prevention Strategies
CERT-EU
10 months ago
MEDUSA Cyber Attacks: Two New Victims Added To The List!
CERT-EU
10 months ago
PhilHealth hit by ransomware – report | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU
a year ago
The Week in Ransomware - March 10th 2023 - Police Take Action
CERT-EU
a year ago
Nine looks for new cyber security director
CERT-EU
a year ago
French town of Sartrouville recovering from cyberattack claimed by ransomware gang
CERT-EU
10 months ago
Philippines state health org struggling to recover from ransomware attack
CERT-EU
10 months ago
French town of Sartrouville recovering from cyberattack claimed by ransomware gang | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU
7 months ago
What do Toyota's data breaches teach us about cybersecurity? | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU
8 months ago
The Week in Ransomware - December 1st 2023 - Police hits affiliates
CERT-EU
7 months ago
86% of cyberattacks are delivered over encrypted channels - Help Net Security